Current through Bulletin 2025-01, January 1, 2025
Section R765-1010-5 - Notification of Significant Data Breaches

(1)
(a) If a significant data breach occurs either at an educational entity or a third-party contractor using data disclosed by an educational entity, the educational entity shall notify each student in writing whose personally identifiable student data was disclosed.
(b) The notification shall include all components of the model data breach notification prepared under Subsection 53B-28-502(4)(b)(iii). An education entity may add additional content to the notification.
(c) The educational entity may communicate the notification by any written means that the education entity routinely uses for official communications with individual students.

(2) An education entity that provides notice of a data breach to affected individuals as required under any other law is deemed to have met the requirements of this rule with regard to the individuals so notified.

(3) For notifications regarding release, access, or disclosure of a record containing protected health information as defined in 45 CFR Part 164, Standards for Privacy of Individually Identifiable Health Information, the education entity shall comply with that part.

(4) The Office of the Commissioner of Higher Education may develop and communicate to each institution guidelines for compliance with this rule.

Utah Admin. Code R765-1010-5
Adopted by Utah State Bulletin Number 2024-05, effective 2/14/2024